Tyupkin malware used to steal cash from ATMs


Recently there have been indications that criminals have developed a sophisticated form of attack using malware installed on PCs running ATM software. The malware (dubbed Tyupkin) has been installed on at least 50 ATMs in Europe, and has resulted in the theft of millions of dollars in cash.

The malware was first discovered when a financial institution called in Kaspersky Lab to find out why cash was disappearing from several of its ATMs. The investigation uncovered the Tyupkin malware, which was allowing criminals to extract cash from the ATMs. The malware runs on 32-bit Windows; its default setting only allows commands to be run on Sunday and Monday nights. These times are probably chosen because fewer people are likely to be out, and so there are fewer potential witnesses to a thief extracting money from an ATM.

Figure A illustrates the process criminals used.

Figure A – Tyupkin attack process

Tyupkin was installed by the criminals using a bootable CD-ROM. The first step in installing the malware was to gain physical access to the machine. Whilst the actual cash in an ATM is very secure, the PC or laptop running the ATM software is often not as secure. The people who install the malware may be different to the people who operate the ATM. Those who operate the ATM with a view to extracting the cash are known as money mules, or just mules.

To interface with the malware, the mule types a command at the ATM. The malware then displays a random number. For the mule to continue, a number corresponding to that random number must be entered; this response is derived from an algorithm and is unique to each session, so a mule cannot operate the malware without the criminals supplying the answer. The person withdrawing money can then choose which cassette to withdraw from. Once a cassette is selected, the ATM dispenses 40 banknotes.

The cash in ATMs is secure; the PC or laptop running the software is often not as secure. Many cabinets containing the PC are protected by a single lock and have no alarm. At a minimum, the recommendation is to ensure the locks are re-keyed and the cabinet is alarmed.

At this stage, the number of infected ATMs worldwide is unknown. Interpol is now investigating the case. Securelist has more detailed information on this malware, including the changes it makes to the registry, and a video showing the malware in operation.

Scott Reeves
MailShark
